CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered critical vulnerability affecting a widely used Magento extension to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active attacks in the wild.

The flaw, tracked as CVE-2026-45247, impacts the Mirasvit Full Page Cache Warmer extension used in Magento-based e-commerce platforms. Security researchers warn that the vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected servers.

Critical Remote Code Execution Flaw

With a CVSS score of 9.8, the vulnerability stems from unsafe deserialization of untrusted data. Attackers can exploit the issue by sending a specially crafted serialized PHP object through the CacheWarmer cookie, triggering remote code execution on vulnerable systems.

Security documentation notes that all versions of the extension prior to 1.11.12 are affected, with a patch released on May 25, 2026.

The flaw is categorized as a PHP object injection (CWE-502) issue, which occurs when applications unserialize user-controlled data without proper validation.

Active Exploitation in the Wild

Security firm Sansec first warned that the vulnerability could be triggered through any storefront request containing a malicious CacheWarmer cookie. The attack requires no authentication, making it particularly dangerous for exposed e-commerce websites.

Researchers estimate that roughly 6,000 online stores may be running vulnerable extensions, though the real number could be higher because traffic-obscuring tools such as CDNs hide some installations.

Another cybersecurity company, Imperva, confirmed that active exploitation attempts have already been observed. Attackers have been seen using encoded payloads designed to call PHP functions such as system() and so run system-level commands on compromised servers.

Attack Activity Targets Global Websites

Reports indicate that malicious activity has been aimed primarily at gaming platforms and commercial websites. The most affected regions include the United States, United Kingdom, France, and Australia.

Although the identity of the attackers remains unknown, analysts believe the goal is to identify vulnerable Magento installations and verify remote code execution capabilities for further exploitation.

Government Response and Urgent Patch Orders

Following the discovery of active exploitation, U.S. federal civilian agencies have been instructed to apply available security patches by June 6, 2026, as part of emergency mitigation efforts.

Security experts are also advising private organizations to immediately review logs for suspicious CacheWarmer cookie activity. Indicators of compromise include encoded values beginning with “Tz”, “Qz”, or “YT”, which may signal malicious serialized PHP payloads.
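The log review described above can be scripted. The following is an added example, not code from Sansec, Imperva, CISA or the extension vendor: it flags CacheWarmer cookie values with the three prefixes, which are the base64 encodings of the PHP serialization markers `O:`, `C:` and `a:`, and then decodes each value to separate real serialized data from coincidental matches. The log layout (a `cookie="..."` field) and the sample lines are constructed assumptions; adapt the regex to wherever your stack records the Cookie header.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Prefixes named in the article: base64 of "O:" (object), "C:" (custom
# serializable object) and "a:" (array) in PHP's serialize() format.
SUSPICIOUS_PREFIXES = ("Tz", "Qz", "YT")
# Assumed log layout: the Cookie header is logged as cookie="k=v; k2=v2".
COOKIE_RE = re.compile(r'(?:^|[;\s"])CacheWarmer=([^;\s"]+)')
# Start of a PHP serialized object or array once the base64 is decoded.
SERIALIZED_RE = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def classify(value):
    """Return 'clean', 'prefix-only' or 'serialized-php' for a cookie value."""
    value = unquote(value)  # cookies are often percent-encoded in transit
    if not value.startswith(SUSPICIOUS_PREFIXES):
        return "clean"
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return "prefix-only"
    # Two base64 characters fix only 12 bits, so the prefix alone can match
    # harmless tokens; the decoded structure is the stronger signal.
    return "serialized-php" if SERIALIZED_RE.match(decoded) else "prefix-only"

def scan(lines):
    """Return (line_number, verdict) for every non-clean CacheWarmer cookie."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in COOKIE_RE.finditer(line):
            verdict = classify(match.group(1))
            if verdict != "clean":
                hits.append((number, verdict))
    return hits

# Constructed sample data: inert serialized values, documentation IP addresses.
_obj = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
_arr = quote(base64.b64encode(b"a:1:{i:0;i:1;}").decode())
SAMPLE_LOG = [
    '198.51.100.7 "GET / HTTP/1.1" 200 cookie="sid=ab12; CacheWarmer=1f3a9c"',
    f'203.0.113.9 "GET /cart HTTP/1.1" 200 cookie="CacheWarmer={_obj}"',
    f'203.0.113.9 "GET / HTTP/1.1" 200 cookie="CacheWarmer={_arr}; sid=cd34"',
    '198.51.100.8 "GET / HTTP/1.1" 200 cookie="CacheWarmer=YT7f2c91aa"',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

A `serialized-php` hit shows that serialized data reached the cookie, not that the server was compromised; check the installed extension version against 1.11.12 and look for follow-on activity from the same source.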

Growing Concern Over E-Commerce Security

The incident highlights ongoing risks in third-party extensions used across e-commerce platforms. Security researchers warn that widely deployed plugins can become high-value attack vectors when vulnerabilities are discovered.

With exploitation already underway, experts emphasize that unpatched Magento environments remain at immediate risk of full system compromise.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO